Add padding to prevent data leakage

[robinvdvleuten]

It would prevent data leakage if it is possible to add padding to encrypted values. Especially when encrypting "enum" values. A good use case for padding is shown on the Lockbox README.

When pointed into the right direction, I can try to create a PR for this feature.

[danielberkompas]

@robinvdvleuten thanks for the suggestion!

The first step would be to create a Cloak.Padding module, similar to the one in Lockbox.

The pad/1 and unpad/1 functions might look something like this:

  def pad(str, size \\ 16) do
    if byte_size(str) < size do
      str
      |> Kernel.<>("\x80")
      |> String.pad_trailing(size - 1, "\x00")
    else
      str
    end
  end

  def unpad(str) do
    String.replace(str, ~r/\x80[\x00]+$/, "")
  end

The next step would be to extend the Cloak.Vault encrypt/decrypt functions to accept an opts argument, where opts[:padding] is the minimum number of bytes you want the ciphertext to be. When the function sees opts[:padding], it should use the Cloak.Padding module to pad the plaintext before encrypting it.

After that, we'd need to extend Cloak.Ecto.Type in the cloak_ecto library to accept a new :padding option in your type which it passes on to encrypt/decrypt, so that you could do this:

defmodule MyApp.PaddedEncryptedBinary do
  use Cloak.Ecto.Binary, vault: MyApp.Vault, padding: 32
end